Data breaches and cybersecurity incidents happen all the time. You like to think that it won’t happen to you, but it could. If it does, how will you respond? How will you explain the issue to the people who need to know? These questions tie into the concept of crisis communication, and it’s a lot to consider.
The good news is that the National Institute of Standards and Technology (NIST) has a whole guide to help you think about it.
Utilizing the NIST Cybersecurity Framework
NIST updated the Cybersecurity Framework (CSF) in February 2024. With that update, it re-envisioned how organizations can plan cybersecurity from the top down.
Concepts related to communicating security breaches have long been part of the NIST framework, but the latest version better outlines how organizations can strategize all components of security, including incident and disaster response.
The gist is that top-level leadership should be deeply involved in strategy and execution for the entire organization’s cybersecurity efforts. With that involvement, they are better equipped to understand incidents, and that informs communication. Combine that with the CSF’s best practice recommendations for communicating incidents, and you have a nice guide that can help you plan for the worst and come through incidents with less damage.
Why Crisis Communication Is Crucial
“Damage” is the keyword here. Cyber incidents put entire organizations at risk. They can disrupt operations, hurt your bottom line, and threaten your reputation.
Those concepts help motivate many leaders to stay on top of cybersecurity, but post-incident communication, in particular, can still impact each of these types of damage. Let’s look at them individually.
Financial
A devastating cyber incident can cause financial damage. If it impacts operations, you lose money. Those risks extend to anyone who works with your organization. Customers, partners, vendors, and other parties all face potential financial damage from your incident.
Anyone with a financial interest in the security issue has a right to know what happened, and clear, effective communication is the only path forward. Beyond meeting that obligation, poor communication after an incident could cause stakeholders to pull out, further harming your bottom line.
Reputational
That leads to the concept of reputational damage. Any security incident can harm a reputation, but plenty of companies recover just fine from large incidents. It all comes down to crisis management and communication.
Effective communication shows how well you can respond to the incident, how you protect stakeholders, how you care about people who interact with your organization, and why you’re still trustworthy after the incident. Communication failures compound distrust, and a little later, you will see examples of organizations that collapsed from that distrust.
Legal
There are also legal elements. You have regulatory responsibilities in how you handle information. Some of those responsibilities outline exactly what you have to tell stakeholders in the face of an incident.
You can’t cover up a security failure. Doing so creates serious legal complications, but there’s more to consider.
Even merely poor communication can still constitute a legal failure on your part. You need to know these regulations and exactly what information must be present in your communications. Some of that will depend on your industry. Much of it will depend on the nature of the incident, but with that base knowledge, your risk of legal complications will likely stay manageable.
Examples of Good and Bad Crisis Communication
So, what does crisis communication look like?
Let’s start with a positive example.
In 2013, Target very famously and publicly faced a significant data breach. Customer information was stolen, and the company faced a crisis. The response was to directly inform every customer who might be affected (this number was in the millions). Target offered free credit monitoring services, and the company explained how it planned to improve security moving forward. Think about two things related to that example.
First, do you have any personal mistrust of Target’s cybersecurity? The brand certainly seems to have recovered fully from this incident.
Second, do any of those actions sound familiar? Target’s response was so positive that it became a template of sorts for any company in a similar position.
Mass announcements and free credit monitoring are considered standard responses these days, but Target committed to them without the lawsuits, cover-ups, or other negative responses you have seen in comparable scenarios.
What about a poor example?
Perhaps the most infamous of data breaches involved Equifax. In 2017, the company was compromised and data was stolen from millions of users. This issue was compounded by the fact that the majority of users never directly consented to having their data under Equifax’s control.
Worse, after Equifax discovered the breach, they sat on the information for a full month before making any announcements. This proved a critical error that increased Equifax’s liabilities in the lawsuits that followed. To date, the company has been fined more than $700 million with the risk of additional fines still pending.
Digging into the NIST CSF
You want to be on the right side of communication if and when an incident occurs. The NIST CSF can help with that, especially when you home in on the “Respond” and “Recover” functions.
Respond
As the name suggests, this function covers how you respond to an incident.
The CSF covers actions you should take in the event of a security breach, and some of those pertain specifically to communication. There are no hard rules here. Most regulations cite a “reasonable period of time” for when you need to notify customers. As for who you need to notify, that includes anyone who is (or is likely to be) directly impacted by the incident.
It’s a lot to cover, but a summary looks something like this. If you discover a breach, you want to find out the scope of that breach as fast as you can. If that’s going to take time, then a blanket statement can go a long way. Something to the effect of “a security incident has occurred, and an investigation is underway,” can save you in terms of liability. As you get more concrete information, update the relevant stakeholders.
Recover
As for disaster recovery, that mostly covers how the organization can mitigate damage, get everything back to working order, and prevent additional problems. Still, some elements tie directly into communication, and it’s straightforward. Explain to stakeholders what happened and what measures you are taking moving forward. If their data was compromised, explain how you can mitigate the issue (such as offering free credit monitoring). Also, demonstrate how you can prevent future incidents.
Who Needs to Be Informed?
You keep reading about stakeholders, so who exactly needs to know? Again, that’s going to depend on the specifics of the incident, but there are a few general guidelines for you. First, anyone who was directly impacted by the incident needs to know. If data is stolen, the owners of the data need to know. That one is easy.
Second, people invested in your organization might also have a right to know. This would include shareholders, business partners, and the like.
Third, if you have legal concerns about fallout from the incident, law enforcement and/or government regulators need to know. The Federal Trade Commission provides resources to help you there.
If the scope of the incident is great enough, then public announcements become necessary. Those announcements should follow the same guidelines as your other communications. State what you know for sure, what you are doing, and how follow-up communications will be conducted.
Using NIST to Prepare in Advance
As you go through the CSF, it will force you to think about how incidents can occur and what that might mean for your organization.
An essential component of NIST is identifying risks and creating strategies to deal with them. In that process, you should also think about how you would communicate with stakeholders if your efforts failed. Pre-planning can help you avoid mistakes that might otherwise be easy to make amid a crisis.
Elements of a Solid Crisis Communication Plan
What Should You Communicate in the First Hours?
You want to focus on concision in early messages. Clarity and accuracy matter a lot here. In the first few hours, you usually don’t know everything, so don’t try to create comprehensive messages. Instead, focus on the things you know with absolute certainty. That might lead you to vague language, but overcommitting is a mistake here.
Key elements that you often will know early might include when the incident occurred, the actions you have taken so far in response to it, and who is most likely to be affected. You probably won’t have a master list of the affected, but even a general idea helps with early communication.
Ongoing Communication Strategies
You want to customize these strategies around the nature of the incident. Minor incidents require less communication; major incidents require more. The primary question here is how you will notify impacted parties. You can send emails. You can issue press releases. You can get a news segment. You can send out SMS alerts. You can use your own app. The options are vast, and you will likely use multiple channels. Still, figure this out now, before you have a breach, and you’ll be that much better prepared.
How to Keep Stakeholders Informed
As you continue communicating, clarity and accuracy remain your top priorities. Even as an honest mistake, misinformation compounds your problems. So, plan regular updates based on information coming from your security team, and let people know what you know in clear terms. If the issue is contained, announce it. If you’re conducting a forensic investigation, announce that. You get the idea.
“Protect” Training
Putting all of this together, planning for crisis communication only works if your people know about the plan. That boils down to cybersecurity training. Build your plan, and then make sure everyone in the organization knows their role in ongoing security and crisis management.
Key communicators should already know what is expected of them before any cyber incident can occur. Try to do some drills or practice sessions to lock it all down, and you can find yourself on the positive side of incident communication. Contact Graffen today to see how we can help your organization.